First, it further highlights how fragile our privacy has become since we live in a digital world with details of our life being kept on the internet: personal blogs, twitter feeds, Facebook or Government/Health records, etc. All this data is available online if you have the right access to the system it is held on. But it is not just still photos or lines of texts, it can also be live pictures through personal webcams or state surveillance cameras. Again, that data is available if you have the right credentials. In this case, hundreds of Trendnet webcam users thought/thinks their live video feed was protected through the use of a userid and password, but a bug in its firmware allows anyone to access it by adding a simple “/anony/mjpg.cgi” at the end of the webcam IP address. If you think about the number of devices around you that have a built-in camera, from computer screens to mobile phones, it is a scary thought if they were to be compromised in such manner. A quick google around will report many different ways to remotely access those cameras, and although they require user intervention, meaning the outcome is what is intended or for the “victim” to be a willing participant, couldn’t a worm be created to exploit those video streams and invade many people’s privacy?

Secondly, it shows how long it can take before such story makes the headline. It took a month from the vulnerability to be exposed and for most security websites to write about it. If means many Trendnet users had their privacy exposed for a long period of time!

Finally, Shodan. It is a website referenced in the original hacking article as a way to quickly identified vulnerable webcams out there (and many other things). I must admit I overlooked that website when I first heard of it on the Register over a year ago. It seems like a great resource but I am not sure if it serves Good or Evil.

It is maybe time to put that sticky tape on your built-in webcam when not using it :)